When Your Endpoint Goes Quiet: Detecting Defender Update-Channel Sabotage on Cloud Workloads
The blind spot is the security tool itself
Most cloud workload defenders spent the last three weeks watching the wrong story.
When researcher Chaotic Eclipse dropped the BlueHammer proof-of-concept on April 7, the attention went straight to the privilege-escalation angle: a low-privileged user on a fully patched Windows 10 or Windows 11 endpoint can ride a TOCTOU race in Defender’s threat-remediation engine all the way to NT AUTHORITY\SYSTEM. Microsoft issued CVE-2026-33825 with a CVSS of 7.8 on April 14 Patch Tuesday. CISA added it to the Known Exploited Vulnerabilities catalog on April 28, with a Federal Civilian Executive Branch patch deadline of May 7, 2026.
That is the headline. It is also not the most dangerous piece.
Nine days after BlueHammer dropped, the same researcher disclosed two siblings: RedSun, a second LPE primitive in the same component, and — more interesting for cloud teams — UnDefend, a denial-of-service primitive that surgically kills Defender’s update channel. RedSun and UnDefend remain unpatched as of this writing. Vectra has dubbed the combined kit a “layered degradation strategy”: chain BlueHammer to gain SYSTEM, then deploy UnDefend so the endpoint quietly stops receiving signatures. The host stays online. The agent reports as healthy. The signatures rot.
For Azure VM, Azure Virtual Desktop, and hybrid Windows estates, this is the failure mode that matters. The cloud control plane sees a green dashboard. The endpoint is drifting blind.
This post is the playbook for finding workloads in that state.
How the update channel breaks (and why it’s hard to see)
Microsoft Defender on Windows runs three independent update streams: the antimalware platform (the agent itself), the antimalware engine (the scanning runtime), and security intelligence (the signature definitions). All three flow through Windows Update, the Microsoft Update Catalog, an internal WSUS, or a configured UNC share, and all three are pulled by MpCmdRun.exe -SignatureUpdate on a schedule controlled by the Microsoft Defender Antivirus Network Inspection Service and the Microsoft Defender Antivirus Service.
UnDefend interferes at exactly that hand-off. The disclosed primitive does not require kernel-mode access; it operates from a standard user context to abuse the same set of file and registry operations Defender uses internally for its own update bookkeeping. When successful, it produces an endpoint that is:
- Still showing enabled in Windows Security Center and the Defender for Endpoint portal
- Still running a real-time protection process tree (MsMpEng.exe, MpDefenderCoreService.exe)
- Still reporting heartbeats to Microsoft Defender for Endpoint cloud
- And no longer pulling new platform, engine, or signature payloads — for hours, then days
That last condition is the one most security teams have never tuned for. Production telemetry reveals a high-confidence signal: Get-MpComputerStatus will show an AntivirusSignatureLastUpdated, AntispywareSignatureLastUpdated, NISSignatureLastUpdated, or AMEngineVersion that is more than 24-72 hours stale, while the host’s network connectivity to *.update.microsoft.com, *.delivery.mp.microsoft.com, and definitionupdates.microsoft.com is technically still reachable. The agent is not offline. Its update path is poisoned.
Microsoft’s own gradual rollout documentation defines the expected platform and engine cadence as monthly; signatures should refresh on a sub-daily cadence. Anything outside those windows on a non-air-gapped workload is anomalous.
What this looks like across an Azure estate
Cloud impact assessment, by deployment pattern:
Azure Virtual Machines (Windows Server, Workstation SKUs). Defender for Servers Plan 2 streams Defender for Endpoint signals into Microsoft Defender for Cloud. The current detection set heavily favors active-attack signals (process anomalies, suspicious LSASS access, encoded PowerShell). Update-channel staleness is surfaced as a recommendation rather than an alert. Risk: a SYSTEM-level attacker on one VM uses BlueHammer to land, deploys UnDefend, then operates against the rest of the subscription with degraded visibility on the compromised host.
Azure Virtual Desktop (AVD) and Windows 365 Cloud PC. Pooled session hosts are particularly exposed. A single user-context UnDefend execution on a multi-session host blinds the agent for every user that lands on that VM until the next image rebuild. Because pooled hosts are designed to be ephemeral, “the next image rebuild” is the unstated trust boundary — and that boundary is now a TTL on the attacker’s blind spot.
Hybrid / on-prem Windows joined to Microsoft Defender for Endpoint. Same exposure as Azure VMs, plus the additional risk that local WSUS or SCCM is the assumed update source. If UnDefend disrupts the agent’s pull from those internal mirrors, no cloud-side signal exists at all.
Microsoft Defender for Cloud DSPM/CSPM customers. The unpatched RedSun and UnDefend siblings will not light up vulnerability assessment until Microsoft ships and indexes a CVE. Posture management is structurally lagging the threat right now.
The business risk is the gap between “agent reports healthy” and “agent is actually protecting.” That gap is invisible to most CISO dashboards because the dashboards consume the agent’s self-reported status — exactly the surface UnDefend tampers with.
CloudShieldSecure perspective: detection has to live where the truth is
The reason this class of weakness is hard for traditional EDR to catch is that the EDR is the thing being undermined. You cannot ask the agent whether the agent is healthy. The honest signal lives one layer above: in the cloud control plane and the update infrastructure itself.
CloudShieldSecure’s endpoint posture coverage was built around exactly this asymmetry. The platform continuously cross-references three sources that an attacker would need to coordinate to spoof:
- Azure Resource Graph and Defender for Endpoint API — what the cloud control plane and EDR portal claim about the host’s protection status.
- Workload-side telemetry — actual Get-MpComputerStatus output, scheduled task health for MpIdleTask and MpScheduledScan, Windows Update client status, and outbound DNS/connection success to Microsoft’s update endpoints.
- Time-series baselines per workload — the historical refresh cadence for every signature stream, per host, so a stall on a previously well-behaved endpoint is loud rather than averaged into a fleet-wide median.
The flag the platform raises is not “Defender is offline.” It is: “This workload’s signatures and engine version were updating reliably for 90 days, and have not advanced for the last 36 hours, despite reachable update infrastructure.” That is the signal that survives BlueHammer + UnDefend.
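To make the per-host baseline concrete, here is an added PowerShell example (not CloudShieldSecure’s code) that scores a series of signature-version observations, the kind a collector would keep from repeated Get-MpComputerStatus polls, against that host’s own refresh cadence. The 90-day baseline and 36-hour floor are the post’s figures; the 4x-median multiplier, the Test-SignatureStall name, and the sample history are assumptions made for this example.

```powershell
# Added example, not CloudShieldSecure's code. Per-host baseline stall detection over a
# series of (Timestamp, SignatureVersion) observations. The 90-day baseline and 36-hour
# floor are the post's; the 4x-median-cadence multiplier is an assumption for this example.
function Test-SignatureStall {
    param(
        [Parameter(Mandatory)] [object[]]$History,   # objects with Timestamp and SignatureVersion
        [datetime]$Now = (Get-Date),
        [int]$BaselineDays = 90,
        [double]$MinStallHours = 36,
        [double]$CadenceMultiplier = 4
    )
    $window = @($History | Where-Object { $_.Timestamp -ge $Now.AddDays(-$BaselineDays) } | Sort-Object Timestamp)
    # Keep only polls where the version actually advanced; a repeated version is not a refresh.
    $advances = @(); $lastVersion = $null
    foreach ($obs in $window) {
        if ($obs.SignatureVersion -ne $lastVersion) { $advances += $obs.Timestamp; $lastVersion = $obs.SignatureVersion }
    }
    if ($advances.Count -lt 3) {
        return [pscustomobject]@{ Verdict = 'InsufficientBaseline'; Advances = $advances.Count }
    }
    $gaps   = @(for ($i = 1; $i -lt $advances.Count; $i++) { ($advances[$i] - $advances[$i - 1]).TotalHours })
    $sorted = @($gaps | Sort-Object)
    $median = $sorted[[int][math]::Floor($sorted.Count / 2)]
    $sinceLast = ($Now - $advances[-1]).TotalHours
    # This host's own cadence sets the bar, never a fleet-wide average.
    $threshold = [math]::Max($MinStallHours, $CadenceMultiplier * $median)
    [pscustomobject]@{
        Advances            = $advances.Count
        MedianRefreshHours  = [math]::Round($median, 1)
        HoursSinceAdvance   = [math]::Round($sinceLast, 1)
        StallThresholdHours = [math]::Round($threshold, 1)
        Verdict             = if ($sinceLast -gt $threshold) { 'Stalled' } else { 'Advancing' }
    }
}

# Constructed sample: a host that refreshed every 6 hours for ~90 days, then stopped 40 hours ago.
$now = Get-Date
$history = @(); $v = 0
for ($h = (90 * 24) - 2; $h -ge 40; $h -= 6) {
    $history += [pscustomobject]@{ Timestamp = $now.AddHours(-$h); SignatureVersion = "1.400.$v" }
    $v++
}
Test-SignatureStall -History $history -Now $now
```

Because the threshold is derived from each host’s own median gap, a workload that legitimately refreshes once a day is not flagged at the same age as one that normally refreshes every few hours.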
The same detection thesis carries to two adjacent gaps surfaced by this disclosure. First, the CIEM angle: BlueHammer’s SYSTEM escalation is an entitlement event — once an attacker holds SYSTEM on a domain-joined Azure VM with managed identity, that managed identity is in play. CloudShieldSecure correlates the endpoint compromise primitives with downstream cloud-credential use. Second, the management-plane angle: UnDefend’s effect (silent posture drift) is structurally similar to disabled CloudWatch agents, paused GuardDuty, and stopped Wazuh services in AWS — all of which the platform monitors as suppression-of-defenses indicators rather than as missing-data noise.
Endpoint protection is one source of truth. It cannot be the only one.
Recommended actions: a 7-day playbook
If you operate a Windows estate on Azure, AVD, or hybrid, work through this checklist before the May 7 FCEB deadline:
- Confirm BlueHammer patch coverage. Use Defender for Cloud → Recommendations → “System updates should be applied” or Intune compliance reports. Validate that KB numbers from the April 14, 2026 Patch Tuesday release notes are actually present, not merely scheduled.
- Baseline signature freshness, fleet-wide. Run Get-MpComputerStatus against every Windows host (Azure Arc-enabled, Defender for Endpoint live response, Run Command, or your config-management tool of choice). Capture AntivirusSignatureLastUpdated, AMEngineVersion, AMProductVersion, and NISSignatureLastUpdated. Flag anything older than 72 hours that should not be (i.e. excluding intentionally air-gapped workloads).
- Add a Defender update-channel monitor to your SIEM. Recommended Microsoft Sentinel KQL pattern (template — adjust to your data model):

```kusto
DeviceTvmInfoGathering
| where Timestamp > ago(7d)
| extend SignatureAge = datetime_diff('hour', now(), todatetime(AdditionalFields.AntivirusSignatureLastUpdated))
| where SignatureAge > 72
| project DeviceName, OSPlatform, SignatureAge, AdditionalFields.AMEngineVersion
```

Pair the alert with a network-side check that the host can reach Microsoft update endpoints — that disambiguates a sabotage event from a legitimate offline workload.

- Watch for the suppression of defenses ATT&CK patterns. Defender for Endpoint surfaces alerts under T1562.001 (Disable or Modify Tools) and T1499 (Endpoint Denial of Service). Tighten thresholds for the next two weeks; the early UnDefend exploitation Huntress observed matches the Nightmare-Eclipse intrusion pattern.
- Harden role assignments on the Defender service path. UnDefend’s user-context primitive is amplified when Defender’s local service ACLs are loose. Microsoft’s hardening baselines (Windows Security Baseline, Defender ASR rules) will catch the most common variants, but only if those baselines are enforced and endpoints that have drifted back to defaults are detected.
- Treat AVD pooled hosts as ephemeral, and rotate them fast. If your pool image is older than 30 days, rebuild this week. UnDefend’s blind-spot TTL is the image rotation interval; shrinking that interval shrinks attacker dwell.
- Monitor for credential-use anomalies on hosts that show signature stall. If an endpoint has a 36-hour signature gap and that endpoint’s managed identity or domain account suddenly reaches into Storage, Key Vault, or another subscription it does not normally touch, treat it as the same incident, not two.
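The freshness baseline and the network-side check from the list above, combined into one host-side function as an added example (not the post’s or CloudShieldSecure’s code). It reads the Get-MpComputerStatus fields the post names and probes TCP/443 to the update infrastructure with Test-NetConnection; the 72-hour threshold is the post’s, definitionupdates.microsoft.com is the one concrete update host the post names, and the function name and verdict labels are assumptions for this example.

```powershell
# Added example, not from the original post. Runs the post's baseline step on the local host:
# ages each signature stream against the post's 72-hour threshold and pairs that with a
# TCP/443 reachability probe, so a stalled-but-connected host is told apart from an isolated one.
function Get-DefenderUpdateChannelHealth {
    param(
        [int]$MaxAgeHours = 72,
        # definitionupdates.microsoft.com is named in the post. The *.update.microsoft.com and
        # *.delivery.mp.microsoft.com wildcards need concrete hostnames from your own proxy logs.
        [string[]]$UpdateHosts = @('definitionupdates.microsoft.com')
    )
    $status = Get-MpComputerStatus
    $now    = Get-Date
    $streams = foreach ($p in 'AntivirusSignatureLastUpdated', 'AntispywareSignatureLastUpdated', 'NISSignatureLastUpdated') {
        $ts = $status.$p
        [pscustomobject]@{
            Stream   = $p
            LastSeen = $ts
            AgeHours = if ($ts) { [math]::Round(($now - $ts).TotalHours, 1) } else { $null }
        }
    }
    # A stream with no timestamp at all is treated as stale, not ignored.
    $stale = @($streams | Where-Object { $null -eq $_.AgeHours -or $_.AgeHours -gt $MaxAgeHours })
    $reach = foreach ($h in $UpdateHosts) {
        [pscustomobject]@{
            Host   = $h
            Tcp443 = Test-NetConnection -ComputerName $h -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
        }
    }
    $reachable = @($reach | Where-Object { $_.Tcp443 }).Count -gt 0
    # Stale signatures on a host that can still reach update infrastructure is the
    # sabotage-shaped case the post describes; stale and unreachable looks like an outage.
    $verdict = if ($stale.Count -eq 0) { 'Fresh' }
               elseif ($reachable)     { 'StaleWithReachableUpdateInfra' }
               else                    { 'StaleAndIsolated' }
    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        AMProductVersion     = $status.AMProductVersion
        AMEngineVersion      = $status.AMEngineVersion
        AMServiceEnabled     = $status.AMServiceEnabled
        RealTimeProtection   = $status.RealTimeProtectionEnabled
        StaleStreams         = $stale
        UpdateInfraReachable = $reachable
        Verdict              = $verdict
    }
}
Get-DefenderUpdateChannelHealth | Format-List
```

Wrap the call in Invoke-Command, Azure Run Command, or live response to collect the object fleet-wide, then triage on Verdict rather than on the agent’s own enabled/healthy flags.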
Sources & references
- Microsoft Security Update Guide — CVE-2026-33825 (BlueHammer)
- Picus Security — BlueHammer & RedSun: Windows Defender CVE-2026-33825 Zero-Day Vulnerability Explained
- Huntress — Nightmare-Eclipse Tooling Seen in Real-World Intrusion
- The Hacker News — Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched
- Help Net Security — Researcher Drops Two More Microsoft Defender Zero-Days
- SecurityWeek — Recent Microsoft Defender Vulnerability Exploited as Zero-Day
- Microsoft Learn — Microsoft Defender Antivirus security intelligence and product updates
- Microsoft Learn — Manage the gradual rollout process for Microsoft Defender updates
- TechRadar — CISA Two-Week Deadline on BlueHammer